-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 07/31/2013 12:55 PM, Bram Mertens wrote: > Hi, > > I have just lost several hours trying to figure out why I was unable to > deploy a file from a configuration channel in our satellite server to a > RHEL6 box while it deployed perfectly to a RHEL5 box. > > I finally tracked it down to the fact that the user context was set to > unconfined_u while the rest of the context was set correctly. > > On RHEL5 rhncfg-client get worked flawlessly and deployed the file with a > *different* user context (system_u) without complaining. On RHEL6 > chncfg-client crashed complaining about the SElinux context - which > differed only in the user context. > > Here's what I found (I also posted this as a follow up on the rhn-satellite > mailing list): > > I see some very strange behaviour of SELinux on this RHEL6 box. > > on RHEL5 the following works as expected: > > The default SELinux security context for /etc/sssd/sssd.conf is: > [mertensb@testadintegration01 ~]$ sudo /usr/sbin/matchpathcon > /etc/sssd/sssd.conf /etc/sssd/sssd.conf system_u:object_r:etc_t > > Which is also what is currently applied: [mertensb@testadintegration01 ~]$ > sudo ls -lZ /etc/sssd/sssd.conf -rw------- root root > system_u:object_r:etc_t /etc/sssd/sssd.conf > > So matchpathcon is able to verify the context. > [mertensb@testadintegration01 ~]$ sudo /usr/sbin/matchpathcon -V > /etc/sssd/sssd.conf /etc/sssd/sssd.conf verified. > > Testing a randomn other file to verify that matchpathcon works: > [mertensb@testadintegration01 ~]$ touch /tmp/proftpd > [mertensb@testadintegration01 ~]$ sudo ls -lZ /tmp/proftpd -rw-rw-r-- > mertensb mertensb user_u:object_r:tmp_t /tmp/proftpd > [mertensb@testadintegration01 ~]$ sudo mv /tmp/proftpd > /etc/cron.monthly/proftpd [mertensb@testadintegration01 ~]$ sudo ls -lZ > /etc/cron.monthly/proftpd -rw-rw-r-- mertensb mertensb > user_u:object_r:tmp_t /etc/cron.monthly/proftpd > [mertensb@testadintegration01 ~]$ sudo /usr/sbin/matchpathcon > /etc/cron.monthly/proftpd /etc/cron.monthly/proftpd > system_u:object_r:ftpd_exec_t [mertensb@testadintegration01 ~]$ sudo > /usr/sbin/matchpathcon -V /etc/cron.monthly/proftpd > /etc/cron.monthly/proftpd has context user_u:object_r:tmp_t, should be > system_u:object_r:ftpd_exec_t > > But on the RHEL6 machine I get: [mertensb@defrltot002 ~]$ sudo ls -lZ > /etc/sssd/sssd.conf -rw-------. root root unconfined_u:object_r:etc_t:s0 > /etc/sssd/sssd.conf [mertensb@defrltot002 ~]$ sudo /usr/sbin/matchpathcon > /etc/sssd/sssd.conf /etc/sssd/sssd.conf system_u:object_r:etc_t:s0 > [mertensb@defrltot002 ~]$ sudo /usr/sbin/matchpathcon -V > /etc/sssd/sssd.conf /etc/sssd/sssd.conf verified. > > Repeating my test of matchpathcon: [mertensb@defrltot002 ~]$ touch > /tmp/proftpd [mertensb@defrltot002 ~]$ sudo mv /tmp/proftpd > /etc/cron.monthly/proftpd [mertensb@defrltot002 ~]$ sudo ls -lZ > /etc/cron.monthly/proftpd -rw-r--r--. mertensb ISOP > unconfined_u:object_r:user_ tmp_t:s0 /etc/cron.monthly/proftpd > [mertensb@defrltot002 ~]$ sudo /usr/sbin/matchpathcon > /etc/cron.monthly/proftpd /etc/cron.monthly/proftpd > system_u:object_r:ftpd_exec_t:s0 [mertensb@defrltot002 ~]$ sudo > /usr/sbin/matchpathcon -V /etc/cron.monthly/proftpd > /etc/cron.monthly/proftpd has context unconfined_u:object_r:user_tmp_t:s0, > should be system_u:object_r:ftpd_exec_t:s0 > > Both have the same sssd SELinux policy loaded: RHEL5: > [mertensb@testadintegration01 ~]$ sudo /usr/sbin/semodule -l|grep sssd sssd > 1.0.2 RHEL6: [mertensb@defrltot002 ~]$ sudo /usr/sbin/semodule -l|grep > sssd sssd 1.0.2 > > Digging further I found out that if only the user context is different > matchpathcon returns OK. See > http://manpages.ubuntu.com/manpages/karmic/man3/matchpathcon.3.html > > I also found a post on this list indicating that restorecon has a forece > option to make it set the user context which it doesn't do by default: > http://fedora.12.x6.nabble.com/restorecon-isn-t-restoring-what-matchpathcon-shows-td2645478.html > > So why isn't the user context set/reset by default? After all it clearly > leaves the system in a broken state. > > And why doesn't matchpathcon have a similar force option to make it check > the entire context? > > Thanks in advance. > > Bram Mertens -- selinux mailing list selinux@xxxxxxxxxxxxxxxxxxxxxxx > https://admin.fedoraproject.org/mailman/listinfo/selinux > Well the user component is ignored on almost every SELinux System and all that are shipped with policy from Red Hat. The first couple of paragraphs of http://danwalsh.livejournal.com/63586.html explain this. restorecon main goal is to fix the "type" portion of the SELinux label and not to touch the User component or the MLS field unless you specify -F. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (GNU/Linux) Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iEYEARECAAYFAlH5RVsACgkQrlYvE4MpobPujACgyNguC2utjf+9Mkd7RYBaifTW eEwAoN7+WmSqrGGvFf4GZYK4uVJlEoHC =/c3M -----END PGP SIGNATURE----- -- selinux mailing list selinux@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/selinux
